Protect.Computer

Telegram ZDI-CAN-30207: critical zero-click claim appears in coordinated disclosure window


What happened

A new entry in the Zero Day Initiative (ZDI) upcoming advisories table lists ZDI-CAN-30207 for Telegram, with high-impact severity metadata and a coordinated disclosure deadline window.

At the time of writing, the ZDI listing does not include technical exploit details, which is typical during vendor remediation windows.

Public reporting around the listing includes claims of potential no-click impact paths, but Telegram has also publicly disputed at least some sticker-based exploitation narratives.

Why this matters

Even when details are withheld, a high-severity coordinated disclosure entry for a major messaging platform is operationally relevant:

  • Attackers may attempt social engineering around the rumor cycle.
  • Defenders need a short-term hardening stance before a full technical advisory lands.
  • Organizations that rely on Telegram for sensitive coordination should reduce exposure to unknown senders and untrusted media paths.

This is a watch-and-harden situation: act on practical risk reduction now, then update quickly when official technical details are released.

How to check if you’re affected

Potentially affected users/environments (precautionary):

  • Teams using Telegram on unmanaged or lightly monitored endpoints.
  • Users who accept messages/media from unknown contacts.
  • High-risk profiles (journalists, activists, executives, incident responders) who rely on Telegram in hostile threat environments.

Practical verification + hardening steps now:

  1. Inventory Telegram usage
    • Identify which teams/devices use Telegram (mobile, desktop, Linux workstations, BYOD).
  2. Restrict message intake from unknown senders
    • Apply stricter privacy/message controls where available (especially business/admin accounts).
  3. Reduce automatic media handling risk
    • Disable unnecessary auto-download behaviors and limit background media processing where possible.
  4. Raise monitoring around Telegram endpoints
    • Watch for unusual process/network activity on devices with Telegram installed.
  5. Prepare fast update/containment path
    • Ensure you can rapidly patch, temporarily isolate, or suspend Telegram usage for high-risk roles if a confirmed exploit advisory is published.
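Steps 1 and 4 can be run against process-creation telemetry you already collect. The sketch below is an added example, not code from the original article or from ZDI or Telegram: it lists hosts where a Telegram client ran and flags processes Telegram started that appear on a watch list. The event field names, the sample events, the client image names and the watch list are all assumptions; the ZDI listing gives no indicators, so "unusual" here only means a child process a chat client rarely needs.

```python
# Added example: events, field names and both name lists are assumptions.
TELEGRAM_IMAGES = {"telegram.exe", "telegram-desktop", "telegram"}
# Children a chat client rarely needs to start; tune for your environment.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "mshta.exe", "sh", "bash", "python3", "curl"}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"host": "ws-014", "managed": True, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"host": "ws-014", "managed": True,
     "parent": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "lin-203", "managed": False, "parent": "/usr/lib/systemd/systemd",
     "image": "/usr/bin/telegram-desktop"},
    {"host": "lin-203", "managed": False, "parent": "/usr/bin/telegram-desktop",
     "image": "/usr/bin/xdg-open"},
    {"host": "ws-022", "managed": True, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def basename(path):
    """Lower-cased file name for a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def inventory(events):
    """Step 1: map each host where Telegram ran to its managed flag."""
    hosts = {}
    for e in events:
        names = {basename(e["image"]), basename(e["parent"])}
        if names & TELEGRAM_IMAGES:
            hosts[e["host"]] = e["managed"]
    return hosts


def watched_children(events):
    """Step 4: (host, child) pairs where Telegram started a watched image."""
    return [(e["host"], basename(e["image"])) for e in events
            if basename(e["parent"]) in TELEGRAM_IMAGES
            and basename(e["image"]) in WATCHED_CHILDREN]


if __name__ == "__main__":
    found = inventory(EVENTS)
    print("Telegram hosts:", found)
    print("Unmanaged:", sorted(h for h, m in found.items() if not m))
    print("Review:", watched_children(EVENTS))
```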

Immediate defensive actions

  • Treat untrusted Telegram links/media as high-risk until vendor details are fully disclosed.
  • Send a short internal advisory so users avoid opening unsolicited content.
  • Pre-stage contingency guidance (alternate comms channel) for sensitive teams.

Bottom line

The ZDI listing is real; broad technical details are not public yet. Don’t wait passively—tighten Telegram exposure now, monitor closely, and be ready to move fast when a full advisory or vendor patch guidance is released.